Banks Struggle To Get ATMs Off Windows XP

Most ATMS still run on Windows XP, according to one industry estimate. With less than nine months until Microsoft stops supporting the OS, a credit union exec explains why upgrading is so painful for financial institutions.

8 Windows 8 Apps Under $25

(click image for larger view and for slideshow)

They're so commonplace that you'd be forgiven for forgetting that they're computers, albeit limited to a single application: Handling cash.

Automated teller machines, better known as ATMs, are indeed computers, though, even if we don't think of them in the traditional "PC" sense. There's a screen, a keypad, a user interface. Under the hood, there's memory, a processor and other hardware. There's also an operating system -- and if you had to bet your checking account, the smart money would say your ATM runs on Windows XP.

"It's like any other Windows-based PC," said John Campbell, manager of the automated delivery systems department at Virginia Credit Union, in an interview. "I tell the new hires here at work 'remember, your ATM is just this' -- and I point to the PC on their desk. And just like a PC at work or at home, Windows gets grumpy [in certain scenarios]."

Most ATMs used to run on IBM's OS/2. That changed in the early 2000s, according to Campbell, when IBM began phasing out OS/2 and later announced it would end support for the software. Most OS/2 terminals were upgraded to Windows XP-based systems. Although that enabled a good deal more functionality and potential applications, it added an equal dose of complexity.

"Nobody was ever hacked in OS/2," Campbell said, noting the popularity of Windows as a target for online criminals. "There's a lot more behind-the-scenes work you've got to do with these ATMs than you ever had to do in the OS/2 world."

Virginia Credit Union, with more than $2 billion in assets, operates 16 branches that count state employees as their largest customer segment. The bank's 34 ATMs have all been upgraded during the last several years to modern, full-functioning terminals running on XP. That gives it much in common with the rest of the ATM industry.

Dean Stewart, senior director of core product solutions at Diebold, one of the major ATM service providers, estimated that around 75% of ATMs in the U.S. are based on XP. Microsoft will end support for the popular but aged OS on April 8, 2014, less than nine months from now.

Although some banks and credit unions, Campbell's included, are busy upgrading their fleets to Windows 7 before next April, you don't need to be a math major to figure out that plenty of cash machines will still be running XP after the support cutoff. "It's not a simple flip," Campbell said.

Atop the list of problems that poses: running an unsupported OS would render a financial institution non-compliant with payment card industry (PCI) requirements. If declared non-compliant in an audit, fines could run thousands -- even tens of thousands -- of dollars per month, a potentially crippling cost for smaller financial institutions, according to Diebold's Stewart.

There are lots reasons why XP remains the dominant software powering so many ATMs. Several of them should sound familiar to IT pros that handle OS migrations for their corporate PC portfolios: Budget, hardware performance, and compatibility issues should make a few heads nod in agreement.

Other factors are specific to the banking industry and the operational complexity of managing ATMs. To the end user, ATMs are quite simple: They take deposits and spit out cash. For folks in Campbell's shoes, they're expensive and complicated machines that require a lot of upkeep.

How hard could it be to build an embedded PC footprint as a cash transaction device? Cheap 5-10 year old mainboards, a cold single core processor, 1GB ram(if even that), a Disk On Module with a write filter copy of Windows 7 Embedded or maybe WinPE if desperate. This isn't difficult with Slackware or some minimalist linux either. It's just an operating system.

I agree fully with your statement of it being more hardware than software. I have witnessed first hand some of these smaller banks and the hardware they have is archaic (Serial ports and proprietary add-on cards). I think Microsoft has been fair about how long they will support XP. The OS is 13 years old and yes it was a favorite for most of us, but it is time to move on and upgrade. It is something all companies go through anymore and these small banks just need to bite the bullet and open their pocketbooks to get this corrected.

I don't understand why banks are having such a tough time. Granted, XP's resource requirements are different than WIndows 7 so a new motherboard is probably a good idea but aside from installers and applications that do not follow guidelines dealing with registry access and where to write user-context files, Windows 7 should run Windows XP applications. However, if the ATMs make use of older peripheral standards such as serial ports, parallel ports or other custom expansion boards that interact with the ATM's mechanics, that could cause a lot of fustration. Although there are USB-based adapters for these older technologies, I've found many to have extremely poor quality drivers leading to unreliable peripheral operation. An unreliable ATM or one that fails to feed bills (but thinks it did) would lead to unhappy customers and high support costs.

IMO -- this is probably not as much of a software problem as it is a hardware problem.

Regarding being unsupported and failing PCI audits -- that's a huge issue but I don't think it will be a security Armageddon. If banks lock down network access and use white listing technology that monitors executables on disk and in memory (plus NX or XD chip tech that prevents code execution in data areas), the system is pretty difficult to compromise.

Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.

Worries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?